Security update for Docker and dependencies SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2016:3084-1 Final 1 1 2016-12-12T08:35:04Z current 2016-12-12T08:35:04Z 2016-12-12T08:35:04Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for Docker and dependencies This update for Docker and its dependencies fixes the following issues: - fix runc and containerd revisions (bsc#1009961) docker: - Updates version 1.11.2 to 1.12.3 (bsc#1004490, bsc#996015, bsc#995058) - Fix ambient capability usage in containers (bsc#1007249, CVE-2016-8867) - Change the internal mountpoint name to not use ':' as that character can be considered a special character by other tools. (bsc#999582) - Add dockerd(8) man page. - Package docker-proxy (which was split out of the docker binary in 1.12). (bsc#995620) - Docker 'migrator' prevents installing 'docker', if docker 1.9 was installed before but there were no images. (bsc#995102) - Specify an 'OCI' runtime for our runc package explicitly. (bsc#978260) - Use gcc6-go instead of gcc5-go (bsc#988408) For a detailed description of all fixes and improvements, please refer to: https://github.com/docker/docker/releases/tag/v1.12.3 https://github.com/docker/docker/blob/v1.12.2/CHANGELOG.md https://github.com/docker/docker/releases/tag/v1.12.1 https://github.com/docker/docker/releases/tag/v1.12.0 containerd: - Update to current version required from Docker 1.12.3. - Add missing Requires(post): %fillup_prereq. (bsc#1006368) - Use gcc6-go instead of gcc5-go. (bsc#988408) runc: - Update to current version required from Docker 1.12.3. - Use gcc6-go instead of gcc5-go. (bsc#988408) rubygem-excon: - Updates version from 0.39.6 to 0.52.0. For a detailed description of all fixes and improvements, please refer to the installed changelog.txt. rubygem-docker-api: - Updated version from 1.17.0 to 1.31.0. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-OpenStack-Cloud-6-2016-1794,SUSE-SLE-Module-Containers-12-2016-1794 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2016/suse-su-20163084-1/ Link for SUSE-SU-2016:3084-1 https://lists.suse.com/pipermail/sle-security-updates/2016-December/002467.html E-Mail link for SUSE-SU-2016:3084-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1004490 SUSE Bug 1004490 https://bugzilla.suse.com/1006368 SUSE Bug 1006368 https://bugzilla.suse.com/1007249 SUSE Bug 1007249 https://bugzilla.suse.com/1009961 SUSE Bug 1009961 https://bugzilla.suse.com/974208 SUSE Bug 974208 https://bugzilla.suse.com/978260 SUSE Bug 978260 https://bugzilla.suse.com/983015 SUSE Bug 983015 https://bugzilla.suse.com/987198 SUSE Bug 987198 https://bugzilla.suse.com/988408 SUSE Bug 988408 https://bugzilla.suse.com/989566 SUSE Bug 989566 https://bugzilla.suse.com/995058 SUSE Bug 995058 https://bugzilla.suse.com/995102 SUSE Bug 995102 https://bugzilla.suse.com/995620 SUSE Bug 995620 https://bugzilla.suse.com/996015 SUSE Bug 996015 https://bugzilla.suse.com/999582 SUSE Bug 999582 https://www.suse.com/security/cve/CVE-2016-8867/ SUSE CVE CVE-2016-8867 page SUSE Linux Enterprise Module for Containers 12 SUSE OpenStack Cloud 6 containerd-0.2.4+gitr565_0366d7e-9.1 docker-1.12.3-81.2 runc-0.1.1+gitr2816_02f8fa7-9.1 ruby2.1-rubygem-docker-api-1.31.0-11.2 ruby2.1-rubygem-excon-0.52.0-9.1 containerd-0.2.4+gitr565_0366d7e-9.1 as a component of SUSE Linux Enterprise Module for Containers 12 docker-1.12.3-81.2 as a component of SUSE Linux Enterprise Module for Containers 12 ruby2.1-rubygem-docker-api-1.31.0-11.2 as a component of SUSE Linux Enterprise Module for Containers 12 ruby2.1-rubygem-excon-0.52.0-9.1 as a component of SUSE Linux Enterprise Module for Containers 12 runc-0.1.1+gitr2816_02f8fa7-9.1 as a component of SUSE Linux Enterprise Module for Containers 12 containerd-0.2.4+gitr565_0366d7e-9.1 as a component of SUSE OpenStack Cloud 6 docker-1.12.3-81.2 as a component of SUSE OpenStack Cloud 6 runc-0.1.1+gitr2816_02f8fa7-9.1 as a component of SUSE OpenStack Cloud 6 Docker Engine 1.12.2 enabled ambient capabilities with misconfigured capability policies. This allowed malicious images to bypass user permissions to access files within the container filesystem or mounted volumes. CVE-2016-8867 SUSE Linux Enterprise Module for Containers 12:containerd-0.2.4+gitr565_0366d7e-9.1 SUSE Linux Enterprise Module for Containers 12:docker-1.12.3-81.2 SUSE Linux Enterprise Module for Containers 12:ruby2.1-rubygem-docker-api-1.31.0-11.2 SUSE Linux Enterprise Module for Containers 12:ruby2.1-rubygem-excon-0.52.0-9.1 SUSE Linux Enterprise Module for Containers 12:runc-0.1.1+gitr2816_02f8fa7-9.1 SUSE OpenStack Cloud 6:containerd-0.2.4+gitr565_0366d7e-9.1 SUSE OpenStack Cloud 6:docker-1.12.3-81.2 SUSE OpenStack Cloud 6:runc-0.1.1+gitr2816_02f8fa7-9.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2016/suse-su-20163084-1/ https://www.suse.com/security/cve/CVE-2016-8867.html CVE-2016-8867 https://bugzilla.suse.com/1007249 SUSE Bug 1007249